In the Honeycomb project, OWASP is assembling the most comprehensive and integrated guide ever attempted to the fundamental building blocks of application security (principles, threats, attacks, vulnerabilities, and countermeasures) through collaborative community efforts.

−

OWASP has been steadily plugging away at this problem since 2000, across projects like VulnXML, WAS-XML, Top Ten, WebScarab, WebGoat, Testing Project, Guide, and others. At the same time, OWASP members have been working with the companies building the most important applications in the world. We're trying to bring our practical experience to this difficult area.

+

OWASP has been steadily plugging away at this problem since 2000, across projects like VulnXML, WAS-XML, Top Ten, WebScarab, WebGoat, Testing Project, Guide, and others. At the same time, OWASP members have been hard at work securing the most important applications in the world. We're trying to bring our practical experience to this difficult area.

Although there is already a wealth of information here, we are just starting on this project. We need volunteers to help us complete articles, categorize articles appropriately, eliminate duplication, and more. You can view the [[OWASP Honeycomb Project Roadmap]] to find out what is being worked on and how you can help.

Line 9:

Line 10:

==Organization==

−

Application security information cannot be organized into a one-dimensional taxonomy. We've adopted the [http://en.wikipedia.org/wiki/Folksonomy folksonomy] tagging approach to solving this problem. We simply tag our articles with a number of different categories. You can use these category to help get different views into the complex, interconnected set of topics that is application security.

+

Application security information cannot be organized into a one-dimensional taxonomy. We've adopted the [http://en.wikipedia.org/wiki/Folksonomy folksonomy] tagging approach to solving this problem. We simply tag our articles with a number of different categories. You can use these categories to help get different views into the complex, interconnected set of topics that is application security.

The tagging scheme does have a simple hierarchy, though. The top level categories are:

* [[:Category:Principle|Principles]]

−

* [[:Category:Threat|Threats]]

+

* [[:Category:Threat_Agent|Threat Agents]]

* [[:Category:Vulnerability|Vulnerabilities]]

* [[:Category:Attack|Attacks]]

−

* [[:Category:Countermeasure|Countermeasures]].

+

* [[:Category:Countermeasure|Countermeasures]]

+

* [[:Category:Category:Technical_impact|Technical Impacts]]

+

* [[:Category:Category:Business_impact|Business Impacts]]

Each of these categories may have subcategories. For example, there is a general [[:Category:Vulnerability|Vulnerability]] category for all articles describing a vulnerability. There are also tags for more specific types of vulnerabilities, such as those listed below:
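Review bot: the two added list entries `[[:Category:Category:Technical_impact|Technical Impacts]]` and `[[:Category:Category:Business_impact|Business Impacts]]` double the `Category:` prefix, so each link targets a page titled `Category:Category:Technical_impact` (respectively `...Business_impact`) instead of the category itself; every other entry in this list uses a single prefix, e.g. `[[:Category:Countermeasure|Countermeasures]]`. Suggest `[[:Category:Technical_impact|Technical Impacts]]` and `[[:Category:Business_impact|Business Impacts]]`.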

Line 75:

Line 78:

'''The difficulties in organizing this information'''

−

Most efforts to organization application security information attempt to force the information into a one-dimensional taxonomy of one sort or another. These efforts (including the [[OWASP Top Ten]]) have failed to adequately make the information useful. By attempting to simplify application security into a one-dimensional taxonomy makes the information useless for many critical tasks.

+

Most efforts to organization application security information attempt to force the information into a one-dimensional taxonomy of one sort or another. These efforts (including the [[OWASP Top Ten]]) have failed to adequately make the information useful. Attempting to simplify application security into a one-dimensional taxonomy makes the information useless for many critical tasks.

'''The approach we’ve taken'''
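Review bot: the replacement line still carries the typo "Most efforts to organization application security information"; since this line is being rewritten anyway, change "organization" to "organize" so it reads "Most efforts to organize application security information attempt to force the information into a one-dimensional taxonomy".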

Line 83:

Line 86:

'''Why the name Honeycomb?'''

−

We are trying to use a distributed, self-organizing approach to create something beyond any of the individuals involved. We admire many of the characteristics of the honeycomb and hope that we can produce something useful.

+

We are trying to use a distributed, self-organizing approach to create something beyond any of the individuals involved. Honeycombs are spontaneously formed in nature from the complex interaction of simple elements. See http://www.sciencedaily.com/releases/2006/08/060818014819.htm.

==How to use the information?==
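Review bot: the added sentence ends with a bare URL (`See http://www.sciencedaily.com/releases/2006/08/060818014819.htm.`), while the rest of the page uses labelled external links such as `[http://en.wikipedia.org/wiki/Folksonomy folksonomy]`; wrap it the same way, e.g. `See [http://www.sciencedaily.com/releases/2006/08/060818014819.htm ScienceDaily].`, so the trailing period is not read as part of the URL.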

Line 115:

Line 118:

To find out more about what you can help, please go to [[OWASP Honeycomb Project Roadmap]].

+

+

== Feedback and Participation: ==

+

+

We hope you find the OWASP Honeycomb Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP Honeycomb Project mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-honeycomb subscription page.]
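Review bot: the new heading `== Feedback and Participation: ==` carries a trailing colon and inner spaces that the page's other headings (`==Organization==`, `==How to use the information?==`) do not; drop the colon and spaces for consistency. In the paragraph, "Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to owasp@owasp.org" reads as a comma splice, and the closing period sits inside the link brackets in `[http://lists.owasp.org/mailman/listinfo/owasp-honeycomb subscription page.]`; suggest "by volunteering for one of the Tasks or by sending your comments, ..." and moving the period outside the link.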

Line 123:

Line 130:

'''Note: the portal only lists categories that start with the letters of the first 200 articles. To view other categories, select the "next 200" button.'''